PEM is a container file format most often used to store cryptographic keys. It is used for many different things, because it simply defines the structure and encoding of a file that holds a piece of data.

What Is a PEM File?

PEM is just a standard: PEM files contain text, and the format dictates that they begin with…

-----BEGIN <kind>-----

…and end with:

-----END <kind>-----

Everything in between is base64 encoded (uppercase and lowercase letters, digits, +, and /). This forms a block of data that can be used by other programs. A single PEM file can contain multiple blocks.

This can be used to represent all sorts of data, but it is commonly used to encode key files, such as RSA keys used for SSH, and certificates used for SSL encryption. The PEM file tells you what it is used for in its header; for example, you might see a PEM file start with…


…followed by a long string of data, which is the actual RSA private key.

PEM Files with SSL Certificates

PEM files are used to store SSL certificates and their associated private keys. A full SSL chain contains multiple certificates, and they work in this order:

  • The end-user certificate, which is issued for your domain name by a certificate authority (CA). This is the file you use in nginx and Apache to encrypt HTTPS.
  • Up to four optional intermediate certificates, issued to smaller certificate authorities by higher authorities.
  • The root certificate, the highest certificate in the chain, which is self-signed by the primary CA.

In practice, each certificate is listed in a PEM file, using separate blocks:


You will be given these files by your SSL provider for use in your web server. For example, LetsEncrypt's certbot generates the following certificates, placed in /etc/letsencrypt/live/your-domain-name/ :

cert.pem chain.pem fullchain.pem privkey.pem
  • cert.pem is the end-user certificate.
  • chain.pem is the rest of the chain; in this case, it is only LetsEncrypt's root certificate.
  • fullchain.pem is cert.pem and chain.pem combined. This is the file passed to nginx with the ssl_certificate directive.
  • privkey.pem is an RSA private key generated alongside the certificate.

These may also use the .crt extension; if you have self-signed a certificate with OpenSSL, you will get a CRT file rather than a PEM file, though the contents are still the same, and the usage is the same.
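As an added example (not code from the original article), here is a small Python parser for the PEM container format described above, together with a check that the four certbot files fit together the way the list above describes: one certificate in cert.pem, only certificates in chain.pem, fullchain.pem equal to cert.pem followed by chain.pem, and a single private key block in privkey.pem. The parser, the check_certbot_layout helper and the sample payloads are all constructed for this example; the payloads are arbitrary bytes standing in for real DER data, so the code runs offline without any real certificates.

```python
import base64
import binascii
import re

# One PEM block: a BEGIN line, zero or more base64 body lines, and an END line
# whose label must match the BEGIN label. Labels are upper-case words and
# spaces ("CERTIFICATE", "RSA PRIVATE KEY", "EC PRIVATE KEY", ...).
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)*)"
    r"-----END (?P=label)-----"
)


def parse_pem(text):
    """Return a list of (label, raw_bytes) for every block in a PEM file.

    Raises ValueError when a block body is not valid base64, or when a
    BEGIN line has no END line carrying the same label.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = m.group("body").replace("\r", "").replace("\n", "")
        try:
            raw = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {label!r} is not valid base64: {exc}") from None
        blocks.append((label, raw))
    # Every BEGIN line must have been consumed by a well-formed match;
    # a leftover one means a mismatched label, stray characters or a missing END.
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("PEM text contains a BEGIN line without a matching END line")
    return blocks


def encode_pem(label, raw):
    """Encode raw bytes as one PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n"
            + "".join(line + "\n" for line in lines)
            + f"-----END {label}-----\n")


CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def check_certbot_layout(cert_pem, chain_pem, fullchain_pem, privkey_pem):
    """Check that the four certbot files fit together as described in the article.

    Returns a dict of findings; each value is True when that check passes.
    This checks container structure only, not X.509 signatures or validity dates.
    """
    cert = parse_pem(cert_pem)
    chain = parse_pem(chain_pem)
    full = parse_pem(fullchain_pem)
    key = parse_pem(privkey_pem)
    return {
        # cert.pem holds exactly one block, and it is a certificate
        "cert_is_single_certificate": len(cert) == 1 and cert[0][0] in CERT_LABELS,
        # chain.pem holds one or more certificates and nothing else
        "chain_is_certificates": len(chain) >= 1 and all(l in CERT_LABELS for l, _ in chain),
        # fullchain.pem is cert.pem followed by chain.pem, in that order
        "fullchain_is_cert_then_chain": full == cert + chain,
        # privkey.pem holds exactly one private key block (never a certificate)
        "privkey_is_single_key": len(key) == 1 and key[0][0] in KEY_LABELS,
    }


# Constructed sample payloads: arbitrary bytes standing in for DER data so the
# example runs offline. Real files carry X.509 / PKCS#1 / PKCS#8 DER instead.
SAMPLE_CERT = encode_pem("CERTIFICATE", bytes(range(0, 100)))
SAMPLE_CHAIN = encode_pem("CERTIFICATE", bytes(range(100, 200)))
SAMPLE_KEY = encode_pem("RSA PRIVATE KEY", bytes(range(50, 150)))
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN


if __name__ == "__main__":
    results = check_certbot_layout(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_FULLCHAIN, SAMPLE_KEY)
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The check is deliberately structural: it catches the two mistakes that most often break a web server setup (a key file pasted where a certificate belongs, and a fullchain assembled in the wrong order, since nginx expects the end-user certificate first), but it says nothing about whether the certificates actually chain to a trusted root; for that, run openssl verify against the chain.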

To use your certificates, you will have to pass them as parameters to your web server. For nginx, you will want to specify ssl_certificate (the full chain PEM file) and ssl_certificate_key (the RSA private key PEM file) after turning on SSL:

ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;

For Apache, setup is largely the same, but you will need to use the SSLCertificateFile and SSLCertificateKeyFile directives:

SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

PEM Files with SSH

PEM files are also used for SSH. If you have ever run ssh-keygen to use ssh without a password, your ~/.ssh/id_rsa is a PEM file, just without the extension.

Most notably, Amazon Web Services gives you a PEM file containing a private key whenever you create a new instance, and you must use this key to be able to SSH into new EC2 instances.


You will have to use the -i flag with ssh to specify that you want to use this new key instead of id_rsa:

ssh -i keyfile.pem root@host

This will sign you in to the server as normal, but you will have to specify this flag every time.

An easier method is to add the private key to your ssh-agent with ssh-add:

ssh-add keyfile.pem

However, this does not persist across reboots, so you will have to run this command on startup or add the key to your macOS keychain.

Of course, you could also simply append your primary public key to the instance's ~/.ssh/authorized_keys after you have signed in once, but the method above should work out of the box for any new instances going forward.

It is worth noting that you should still lock down your SSH server even if you are only using keys yourself.
